c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09-11-2024 22:49

241109-2r2veatfrl 10

09-11-2024 22:47

09-11-2024 22:46

09-11-2024 22:44

07-11-2024 16:00

10-02-2024 17:17

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1720	sc.exe
2692	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
632	ipconfig.exe

Runs net.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1524	1152	cmd.exe	32
PID 1152 wrote to memory of 1524	1152	cmd.exe	32
PID 1152 wrote to memory of 1524	1152	cmd.exe	32
PID 1152 wrote to memory of 1972	1152	cmd.exe	33
PID 1152 wrote to memory of 1972	1152	cmd.exe	33
PID 1152 wrote to memory of 1972	1152	cmd.exe	33
PID 1152 wrote to memory of 492	1152	cmd.exe	34
PID 1152 wrote to memory of 492	1152	cmd.exe	34
PID 1152 wrote to memory of 492	1152	cmd.exe	34
PID 1152 wrote to memory of 2092	1152	cmd.exe	35
PID 1152 wrote to memory of 2092	1152	cmd.exe	35
PID 1152 wrote to memory of 2092	1152	cmd.exe	35
PID 1152 wrote to memory of 2480	1152	cmd.exe	36
PID 1152 wrote to memory of 2480	1152	cmd.exe	36
PID 1152 wrote to memory of 2480	1152	cmd.exe	36
PID 1152 wrote to memory of 1648	1152	cmd.exe	37
PID 1152 wrote to memory of 1648	1152	cmd.exe	37
PID 1152 wrote to memory of 1648	1152	cmd.exe	37
PID 1152 wrote to memory of 2552	1152	cmd.exe	38
PID 1152 wrote to memory of 2552	1152	cmd.exe	38
PID 1152 wrote to memory of 2552	1152	cmd.exe	38
PID 1152 wrote to memory of 2208	1152	cmd.exe	39
PID 1152 wrote to memory of 2208	1152	cmd.exe	39
PID 1152 wrote to memory of 2208	1152	cmd.exe	39
PID 1152 wrote to memory of 2716	1152	cmd.exe	40
PID 1152 wrote to memory of 2716	1152	cmd.exe	40
PID 1152 wrote to memory of 2716	1152	cmd.exe	40
PID 1152 wrote to memory of 2464	1152	cmd.exe	41
PID 1152 wrote to memory of 2464	1152	cmd.exe	41
PID 1152 wrote to memory of 2464	1152	cmd.exe	41
PID 1152 wrote to memory of 2256	1152	cmd.exe	42
PID 1152 wrote to memory of 2256	1152	cmd.exe	42
PID 1152 wrote to memory of 2256	1152	cmd.exe	42
PID 1152 wrote to memory of 2732	1152	cmd.exe	43
PID 1152 wrote to memory of 2732	1152	cmd.exe	43
PID 1152 wrote to memory of 2732	1152	cmd.exe	43
PID 1152 wrote to memory of 2780	1152	cmd.exe	44
PID 1152 wrote to memory of 2780	1152	cmd.exe	44
PID 1152 wrote to memory of 2780	1152	cmd.exe	44
PID 1152 wrote to memory of 2904	1152	cmd.exe	45
PID 1152 wrote to memory of 2904	1152	cmd.exe	45
PID 1152 wrote to memory of 2904	1152	cmd.exe	45
PID 1152 wrote to memory of 2916	1152	cmd.exe	46
PID 1152 wrote to memory of 2916	1152	cmd.exe	46
PID 1152 wrote to memory of 2916	1152	cmd.exe	46
PID 1152 wrote to memory of 2920	1152	cmd.exe	47
PID 1152 wrote to memory of 2920	1152	cmd.exe	47
PID 1152 wrote to memory of 2920	1152	cmd.exe	47
PID 1152 wrote to memory of 2776	1152	cmd.exe	48
PID 1152 wrote to memory of 2776	1152	cmd.exe	48
PID 1152 wrote to memory of 2776	1152	cmd.exe	48
PID 1152 wrote to memory of 2748	1152	cmd.exe	49
PID 1152 wrote to memory of 2748	1152	cmd.exe	49
PID 1152 wrote to memory of 2748	1152	cmd.exe	49
PID 1152 wrote to memory of 2628	1152	cmd.exe	50
PID 1152 wrote to memory of 2628	1152	cmd.exe	50
PID 1152 wrote to memory of 2628	1152	cmd.exe	50
PID 1152 wrote to memory of 2196	1152	cmd.exe	51
PID 1152 wrote to memory of 2196	1152	cmd.exe	51
PID 1152 wrote to memory of 2196	1152	cmd.exe	51
PID 1152 wrote to memory of 2812	1152	cmd.exe	52
PID 1152 wrote to memory of 2812	1152	cmd.exe	52
PID 1152 wrote to memory of 2812	1152	cmd.exe	52
PID 1152 wrote to memory of 2784	1152	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 1412188693152422845
  2⤵
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 7906107751644012807
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 28090159192389515539
  2⤵
  PID:492
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 237599180293792903
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 754220601175329657
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 2378111949316475465
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 1233510896459329361
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 3186218703710022459
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 12123201132556223476
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 2348214555359931776
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 37334144132125902
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 28749214371179223197
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 15601333112219903
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 1015960731183722077
  2⤵
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 3207117914860324571
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 65955025242132430
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 1320322392802531147
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 19281809679817105
  2⤵
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 25316194781624430442
  2⤵
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 132260351494320766
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 1082429575211906281
  2⤵
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 804414891296718254
  2⤵
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 2669523532176452188
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 882917452304049600
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 2392625094926011946
  2⤵
  PID:1860
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  PID:2868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2796
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  PID:2492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:1272
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:1720
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:632